InfoSec Training – Still Pertinent
In each organization, there are the different areas of vulnerabilities. As with any organization, these can be located with the software, hardware, or staff members in general. With the first two, the infosec team can endeavor to harden the system to an appropriate level. The last item, the staff, provides a large attack surface. It is estimated that approximately 80% of the data leaks are due to staff. With other attacks, there may be several steps. The attacker may need to gain access to the network, to later look for Admin credentials. With the staff/users, each person is a potential target. Unfortunately, a successful attack may require only one user clicking in a link or an embedded picture. The picture of the kitten playing with a ball of yarn may be malware. Once the person double clicks, it too late. These also may be very well written, and designed to fool the users. The successful attack itself could also be the result of someone just not watching what they were clicking on.
Although this does happen occasionally, there are opportunities for training. One area that requires regular training and reminders. This has been one of the most favored areas to attack.
This regular training is a good baseline, however depending on the audience, they may not appreciate it. So they may gauge their understanding of the materials, provide a quick quiz to the users. This should not be written to explore the conceptual or operational minutiae, but to the point where the user has a working knowledge of what to look for in an email that is unexpected. These brief quizzes should not only be at the annual employee IT training but also during the year.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.